polipo: DoS via overly large "Content-Length" header

Related Vulnerabilities: CVE-2009-3305, CVE-2009-4413

Debian Bug report logs - #560779

Package: polipo; Maintainer for polipo is Debian QA Group <packages@qa.debian.org>; Source for polipo is src:polipo.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Sat, 12 Dec 2009 06:48:01 UTC

Severity: grave

Tags: patch, security

Found in version polipo/0.9.12-1

Fixed in versions polipo/1.0.4-2, polipo/1.0.4-1+lenny1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, fechiny@gmail.com (Denis V. Sirotkin):
Bug#560779; Package polipo. (Sat, 12 Dec 2009 06:48:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: polipo: DoS via overly large "Content-Length" header
Date: Sat, 12 Dec 2009 00:45:58 -0600
Package: polipo
Version: 0.9.12-1
Severity: grave
Tags: security

Hi,

A vulnerability has been found in polipo that allows a remote attacker to 
crash the daemon via an overly large "Content-Length" header.
The vulnerability is caused by connection->reqlen (in client.c: 
httpClientDiscardBody()) being a signed integer which can be overflowed 
turning it into a negative value which later leads to a segmentation fault in 
the call to memmove.

If you fix this vulnerability please include the CVE id in your changelog 
entry, when one is assigned. Please work with the security team to fix this 
vulnerability in the stable and oldstable releases.

For further information see:
http://www.exploit-db.com/exploits/10338
http://secunia.com/advisories/37607/

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
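
The failure mode described in the report above, as an added example that is not part of the original report and is not polipo's code: a length held in a signed int wraps negative, and the guards that keep such a value away from memmove. All function names, and the assumption that the request length is a header length plus the Content-Length value, are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not polipo's code.
 * Models what a 32-bit two's-complement int holds after header_len + body_len
 * wraps. Done in unsigned arithmetic because signed overflow is undefined. */
int wrapped_request_length(int header_len, unsigned body_len)
{
    return (int)((unsigned)header_len + body_len);
}

/* Parse a Content-Length value and compute header_len + body_len as an int.
 * Returns 0 on success, -1 if the value is malformed or the sum cannot fit. */
int checked_request_length(const char *value, int header_len, int *out)
{
    char *end;
    long long n;

    if (value == NULL || out == NULL || header_len < 0)
        return -1;
    if (*value < '0' || *value > '9')       /* digits only: no sign, no space */
        return -1;
    errno = 0;
    n = strtoll(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (n > (long long)INT_MAX - header_len) /* sum would overflow int */
        return -1;
    *out = header_len + (int)n;
    return 0;
}

/* Drop the first reqlen bytes of buf. A negative or oversized reqlen is
 * refused before memmove, where it would put the source pointer and the
 * copy length outside the buffer. */
int discard_prefix(char *buf, int *buf_len, int reqlen)
{
    if (reqlen < 0 || reqlen > *buf_len)
        return -1;
    memmove(buf, buf + reqlen, (size_t)(*buf_len - reqlen));
    *buf_len -= reqlen;
    return 0;
}
```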




Added tag(s) patch. Request was from Andreas Kirschbaum <kirschbaum@in-medias-res.com> to control@bugs.debian.org. (Sun, 24 Jan 2010 16:51:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, fechiny@gmail.com (Denis V. Sirotkin):
Bug#560779; Package polipo. (Sun, 24 Jan 2010 16:57:07 GMT)


Acknowledgement sent to Andreas Kirschbaum <kirschbaum@in-medias-res.com>:
Extra info received and forwarded to list. Copy sent to fechiny@gmail.com (Denis V. Sirotkin). (Sun, 24 Jan 2010 16:57:07 GMT)


Message #10 received at 560779@bugs.debian.org:

From: Andreas Kirschbaum <kirschbaum@in-medias-res.com>
To: 560779@bugs.debian.org, control@bugs.debian.org
Subject: Patch to fix crash
Date: Sun, 24 Jan 2010 17:50:10 +0100
tag 560779 + patch
thanks

The attached patch includes a commit from the upstream sources that fixes the crash.
[polipo_1.0.4-1.2.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, fechiny@gmail.com (Denis V. Sirotkin):
Bug#560779; Package polipo. (Mon, 25 Jan 2010 23:03:03 GMT)


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to fechiny@gmail.com (Denis V. Sirotkin). (Mon, 25 Jan 2010 23:03:03 GMT)


Message #15 received at 560779@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Andreas Kirschbaum <kirschbaum@in-medias-res.com>
Cc: 560779@bugs.debian.org
Subject: Re: Patch to fix crash
Date: Tue, 26 Jan 2010 00:00:16 +0100
On Sun, Jan 24, 2010 at 17:50:10 +0100, Andreas Kirschbaum wrote:

> tag 560779 + patch
> thanks
> 
> The attached patch includes a commit from the upstream sources that fixes the crash.

Hey Andreas,

did this get uploaded at the BSP, or do you need a sponsor for the NMU?

Cheers,
Julien

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Wed, 27 Jan 2010 16:12:05 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 27 Jan 2010 16:12:05 GMT)


Message #20 received at 560779-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 560779-close@bugs.debian.org
Subject: Bug#560779: fixed in polipo 1.0.4-2
Date: Wed, 27 Jan 2010 16:09:21 +0000
Source: polipo
Source-Version: 1.0.4-2

We believe that the bug you reported is fixed in the latest version of
polipo, which is due to be installed in the Debian FTP archive:

polipo_1.0.4-2.diff.gz
  to main/p/polipo/polipo_1.0.4-2.diff.gz
polipo_1.0.4-2.dsc
  to main/p/polipo/polipo_1.0.4-2.dsc
polipo_1.0.4-2_i386.deb
  to main/p/polipo/polipo_1.0.4-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated polipo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 27 Jan 2010 15:01:52 +0100
Source: polipo
Binary: polipo
Architecture: source i386
Version: 1.0.4-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 polipo     - a small, caching web proxy
Closes: 560779
Changes: 
 polipo (1.0.4-2) unstable; urgency=high
 .
   [ Andreas Kirschbaum ]
   * Apply upstream commit to fix DoS via overly large "Content-Length"
     header; fixes CVE-2009-3305 (closes: #560779)
 .
   [ Julien Cristau ]
   * QA upload.
   * Set Maintainer to Debian QA Group (see #566150).
   * High urgency for RC bugfix.





Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Fri, 19 Feb 2010 20:00:07 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Fri, 19 Feb 2010 20:00:08 GMT)


Message #25 received at 560779-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 560779-close@bugs.debian.org
Subject: Bug#560779: fixed in polipo 1.0.4-1+lenny1
Date: Fri, 19 Feb 2010 19:55:35 +0000
Source: polipo
Source-Version: 1.0.4-1+lenny1

We believe that the bug you reported is fixed in the latest version of
polipo, which is due to be installed in the Debian FTP archive:

polipo_1.0.4-1+lenny1.diff.gz
  to main/p/polipo/polipo_1.0.4-1+lenny1.diff.gz
polipo_1.0.4-1+lenny1.dsc
  to main/p/polipo/polipo_1.0.4-1+lenny1.dsc
polipo_1.0.4-1+lenny1_i386.deb
  to main/p/polipo/polipo_1.0.4-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated polipo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 17 Feb 2010 20:31:37 +0100
Source: polipo
Binary: polipo
Architecture: source i386
Version: 1.0.4-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Denis V. Sirotkin <fechiny@gmail.com>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 polipo     - a small, caching web proxy
Closes: 547047 560779
Changes: 
 polipo (1.0.4-1+lenny1) stable-security; urgency=high
 .
   [ Stefan Fritsch ]
   * Non-maintainer upload by the Security Team.
   * Backport various security related bug fixes from upstream git.
   * Fix segfault when server sends Cache-Control: max-age without a value
     (closes: #547047, CVE-2009-3305).
 .
   [ Andreas Kirschbaum ]
   * Apply upstream commit to fix DoS via overly large "Content-Length"
     header; fixes CVE-2009-4413 (closes: #560779)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:41:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:44:38 2019; Machine Name: beach
